Two security researchers earned $60,000 for hacking an Amazon Echo

Two security researchers have been crowned the top hackers in this year’s Pwn2Own hacking contest after developing and testing several high-profile exploits, including an attack against an Amazon Echo.

Amat Cama and Richard Zhu, who make up Team Fluoroacetate, scored $60,000 in bug bounties for their integer overflow exploit against the latest Amazon Echo Show 5, an Alexa-powered smart display.

The researchers found that the device uses an older version of Chromium, Google’s open-source browser project, which had been forked some time during its development. The bug allowed them to take “full control” of the device if connected to a malicious Wi-Fi hotspot, said Brian Gorenc, director of Trend Micro’s Zero Day Initiative, which put on the Pwn2Own contest.

The researchers tested their exploits in a radio-frequency shielding enclosure to prevent any outside interference.

“This patch gap was a common factor in many of the IoT devices compromised during the contest,” Gorenc told TechCrunch.

Amat Cama (left) and Richard Zhu (right), who make up Team Fluoroacetate. (Image: ZDI)

An integer overflow bug happens when a mathematical operation tries to create a number but has no space for it in its memory, causing the number to overflow outside of its allotted memory. That can have security implications for the device.

When reached, Amazon said it was “investigating this research and will be taking appropriate steps to protect our devices based on our investigation,” but did not say what measures it would take to fix the vulnerabilities — or when.

The Echo wasn’t the only internet-connected device at the show. Earlier this year the contest said hackers would have an opportunity to hack into a Facebook Portal, the social media giant’s video calling-enabled smart display. The hackers, however, could not exploit the Portal.

Microsoft’s new Chromium-based Edge browser is now in beta

Microsoft today launched the first beta builds of its new Chromium-based Edge browser for Windows and Mac. The new beta channel, which will see a new update roughly every six weeks, will join the existing dev and canary channels, which will continue to see daily and weekly updates, respectively.

Over the course of the last few months of preview releases in the existing channels, Microsoft gathered about 140,000 pieces of feedback. With this — and a sufficient amount of telemetry it also received from early adopters — the company now feels that it knows enough about how well Edge works on a wide range of machines and that it is stable enough for enthusiasts, web developers and business users to give it a try before its wider release.

“Beta represents the most stable preview channel, as features are added to Beta only after they have cleared quality testing in first the Canary channel and then the Dev channel,” Microsoft explains in today’s announcement. “Major version updates can be expected roughly every six weeks, alongside periodic minor updates for bug fixes and security.”


At this point, Microsoft has also put all of the infrastructure in place to update the browser and tested it thoroughly through the early preview phase. If need be, that means the team can release an unscheduled beta when it discovers a bug and know that its update systems will work just fine.

Just like Chrome, Firefox and most other browsers, Microsoft will continue to test new features in the canary and developer builds before enabling them in the beta builds. The current canary build, for example, features a very useful global media control button that lets you control YouTube, Spotify and other video and music services without having to switch tabs. Features like this will come to the beta channel in the coming months.

Also available in the beta, but currently behind a flag, are Microsoft’s tracking-prevention features. Soon, the beta build will also get support for collections, Microsoft’s modern take on bookmarks, though as far as I can tell, that feature isn’t currently enabled in the canary and developer releases yet either (Correction: it went live in the canary release with this update). Another new feature that’ll soon make its way to the beta is Internet Explorer mode for those companies that still use legacy applications that rely on Microsoft’s old, pre-Edge browser.

With this release, Microsoft is also launching a security bounty program for Edge. Security researchers who find and disclose any high-impact vulnerabilities in the beta and dev channel releases are eligible for rewards of up to $15,000.

As a Microsoft spokesperson stressed in an interview ahead of today’s release, the team is also quite happy about the fact that it has now contributed more than 1,000 commits to the Chromium project. That project is mostly led by Google engineers, but it’s good to see that Microsoft’s plans for ramping up its contributions are paying off. By moving to Chromium, Microsoft gave up developing its own engine. At the time, the company argued that continuing to invest in an engine that only had a few users wasn’t exactly useful in keeping the overall web ecosystem healthy, and that it could have more impact by working on Chromium instead. That work, it seems, is starting to pay off now.

As the team told me, a lot of the work so far has gone into bringing Edge to beta status and making sure that all of the core features are working. That means you won’t see a lot of features in the browser that really set Edge apart from the competition (Collections are a good example here). As those core features become ever more stable, though, we’ll see the team focus more on tools and features that will differentiate Edge from the likes of Chrome.

Personally, I switched to the new Edge shortly after the first developer and canary releases and have been on the daily update channel ever since. Despite its preview status, the browser has been very stable on both Windows 10 and the Mac. Some versions were better than others, but I didn’t experience any major blocking bugs in the process, and Edge has proven to be a fast and stable browser. That bodes well for the beta program.

What Chrome’s browser changes mean for your privacy and security

At the risk of sounding too optimistic, 2019 might be the year of the private web browser.

In the beginning, browsers were a cobbled together mess that put a premium on making the contents within look good. Security was an afterthought — Internet Explorer is no better example — and user privacy was seldom considered as newer browsers like Google Chrome and Mozilla Firefox focused on speed and reliability.

Ads kept the internet free for so long, but with invasive ad-tracking at its peak and concerns about online privacy — or the lack of it — privacy is finally getting its day in the sun.

Chrome, which claims close to two-thirds of all global browser market share, is the latest to double down on new security and privacy features after Firefox announced new anti-tracking blockers last month, Microsoft’s Chromium-based Edge promised better granular controls to control your data, and Apple’s Safari browser began preventing advertisers from tracking you from site to site.

At Google’s annual developer conference Tuesday, Google revealed two new privacy-focused additions: better cookie controls that limit advertisers from tracking your activities across websites, and a new anti-fingerprint feature.

In case you didn’t know: cookies are tiny bits of information left on your computer or device to help websites or apps remember who you are. Cookies can keep you logged into a website, but can also be used to track what a user does on a site. Some work across different websites to track you from one website to another, allowing them to build up a profile on where you go and what you visit. Cookie management has long been an on or off option. Switching cookies off means advertisers will find it more difficult to track you across sites, but it also means websites won’t remember your login information, which can be an inconvenience.

Soon, Chrome will prevent cross-site cookies from working across domains without obtaining explicit consent from the user. In other words, that means advertisers won’t be able to see what you do on the various sites you visit without asking to track you.

Cookies that work only on a single domain aren’t affected, so you won’t suddenly get logged out.

There’s an added benefit: by blocking cross-site cookies, it makes it more difficult for hackers to exploit cross-site vulnerabilities. Through a cross-site request forgery attack, it’s possible in some cases for malicious websites to run commands on a legitimate site that you’re logged into without you knowing. That can be used to steal your data or take over your accounts.

Going forward, Google said it will only let cross-site cookies travel over HTTPS connections, meaning they cannot be intercepted, modified or stolen by hackers when they’re on their way to your computer.
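The cookie rules described above can be checked against a site's own `Set-Cookie` headers. The following is an added example, not code from Google or from the article; it assumes the standard `SameSite` and `Secure` cookie attributes (names the article does not use), and the header values and function names are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers against the cross-site cookie rules
// described above. Assumes the standard SameSite and Secure cookie attributes.

// Constructed sample headers (not taken from any real site).
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; HttpOnly",      // no SameSite attribute declared
  "tracker=xyz; SameSite=None",            // declared cross-site, but not Secure
  "widget=embed1; SameSite=None; Secure",  // declared cross-site, HTTPS only
  "prefs=dark; SameSite=Strict; Secure",   // single-site only
];

// Split one Set-Cookie header value into the cookie name and a map of
// lower-cased attribute names to their (possibly empty) values.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = new Map();
  for (const attr of attrs) {
    if (attr === "") continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes.set(key, i === -1 ? "" : attr.slice(i + 1).trim());
  }
  return { name, attributes };
}

// Decide how a browser enforcing the new rules treats the cookie:
//  - a missing or unrecognised SameSite value is treated as "lax", so the cookie
//    is not attached to requests made from inside another site's page;
//  - SameSite=None opts in to cross-site use, but only together with Secure
//    (HTTPS); without Secure the cookie is rejected.
function classifyCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const secure = attributes.has("secure");
  const declared = (attributes.get("samesite") || "").toLowerCase();
  const sameSite = ["strict", "lax", "none"].includes(declared) ? declared : "lax";
  if (sameSite === "none" && !secure) {
    return {
      name, sameSite, thirdParty: false, rejected: true,
      reason: "SameSite=None without Secure: cross-site cookies must use HTTPS",
    };
  }
  return {
    name, sameSite, thirdParty: sameSite === "none", rejected: false,
    reason: sameSite === "none"
      ? "explicitly cross-site and HTTPS-only"
      : "restricted to requests from the cookie's own site",
  };
}

// Names of cookies that would be dropped and need a Secure attribute added.
function auditHeaders(headers) {
  return headers.map(classifyCookie).filter((c) => c.rejected).map((c) => c.name);
}

for (const header of SAMPLE_HEADERS) {
  const verdict = classifyCookie(header);
  console.log(`${verdict.name}: ${verdict.rejected ? "REJECTED" : "ok"} (${verdict.reason})`);
}
```

Session cookies with no attribute fall into the restricted group, which is why single-domain logins keep working while a forged request from another site arrives without them.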

Cookies are only a small part of how users are tracked across the web. These days it’s just as easy to take the unique fingerprints of your browser to see which sites you’re visiting.

Fingerprinting is a way for websites and advertisers to collect as much information about your browser as possible, including its plugins and extensions, and your device, such as its make, model and screen resolution, which creates a “fingerprint” that’s unique to your device. Because they don’t use cookies, websites can look at your browser fingerprint even when you’re in incognito mode or private browsing.

Google said — without giving much away as to how — it “plans” to aggressively work against fingerprinting, but didn’t give a timeline of when the feature will roll out.

Make no mistake, Google is stepping up to the privacy plate, following in the footsteps of Apple, Mozilla and Microsoft. Now that Google’s on board, that’s two-thirds of the internet set to soon benefit.

Facebook makes its first browser API contribution

Facebook today announced that it has made its first major API contribution to Google’s Chrome browser. Together with Google, Facebook’s team created an API proposal to contribute code to the browser, which is a first for the company. The code, like so much of Facebook’s work on web tools and standards, focuses on making the user experience a bit smoother and faster. In this case, that means shortening the time between a click or keystroke and the browser reacting to that.

The first trial for this new system will launch with Chrome 74.

Typically, a browser’s JavaScript engine handles how code is executed and when it will halt for a moment to see if there are any pending input events that it needs to react to. Because even modern JavaScript engines that run on multi-core machines are still essentially single-threaded, the engine can only really do one thing at a time, so the trick is to figure out how to best combine code execution with checking for input events.

“Like many other sites, we deal with this issue by breaking the JavaScript up into smaller blocks. While the page is loading, we run a bit of JavaScript, and then we yield and pass control back to the browser,” the Facebook team explains in today’s announcement. “The browser can then check its input event queue and see whether there is anything it needs to tell the page about. Then the browser can go back to running the JavaScript blocks as they get added.”

Every time the browser goes through that cycle, though, and checks for new events, processes them, a bit of extra time passes. You do this too many times, and loading the page slows down. But if you only check for inputs at slower intervals, the user experience degrades as the browser takes longer to react.

To fix this, Facebook’s engineers created the isInputPending API, which eliminates this tradeoff. The API, which Facebook also brought to the W3C Web Performance Working Group, allows developers to check whether there are any inputs pending while their code is executing.

With this, the code simply checks if there’s something to react to, without having to fully yield control back to the browser and then passing it back to the JavaScript engine.
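The loop described above, as an added example that is not Facebook's or Chrome's own code: work runs in a slice and stops as soon as input is pending or a time budget runs out. It assumes the API is exposed as `navigator.scheduling.isInputPending()`; the function names, the `scheduling` and `now` parameters and the 50 ms budget are hypothetical.

```javascript
// Added example: cooperative scheduling with isInputPending.
// Assumes the API lives at navigator.scheduling.isInputPending().

// Run queued work units until the queue is empty, the time budget is spent,
// or the browser reports pending user input. Returns how many units ran.
// `scheduling` and `now` are injectable so the loop can be exercised without
// a browser; if isInputPending is unavailable only the time budget applies.
function runUntilInputPending(queue, scheduling, budgetMs = 50, now = Date.now) {
  const deadline = now() + budgetMs;
  const canAsk = Boolean(scheduling) && typeof scheduling.isInputPending === "function";
  let done = 0;
  while (queue.length > 0) {
    const task = queue.shift();
    task();
    done += 1;
    // Cheap check: no full yield to the browser is needed to learn whether
    // a click or keystroke is waiting.
    if ((canAsk && scheduling.isInputPending()) || now() >= deadline) break;
  }
  return done;
}

// Drain the whole queue, yielding to the event loop between slices so the
// browser can dispatch whatever input caused the previous slice to stop.
function processQueue(
  queue,
  scheduling = globalThis.navigator && globalThis.navigator.scheduling
) {
  return new Promise((resolve) => {
    const slice = () => {
      runUntilInputPending(queue, scheduling);
      if (queue.length > 0) {
        setTimeout(slice, 0); // yield, then resume with the remaining work
      } else {
        resolve();
      }
    };
    slice();
  });
}
```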

For now this is just a trial — and since developers have to integrate this into their code, it’s not something that will automatically speed up your browser once Chrome 74 launches. If the trial is successful, though, chances are developers will make use of it (and Facebook surely will do so itself) and that other browser vendors will integrate it into their own engines, too.

“The process of bringing isInputPending to Chrome represents a new method of developing web standards at Facebook,” the team says. “We hope to continue driving new APIs and to ramp up our contributions to open source web browsers. Down the road, we could potentially build this API directly into React’s concurrent mode so developers would get the API benefits out of the box. In addition, isInputPending is now part of a larger effort to build scheduling primitives into the web.”

Spy on your smart home with this open source research tool

Researchers at Princeton University have built a web app that lets you (and them) spy on your smart home devices to see what they’re up to.

The open source tool, called IoT Inspector, is available for download here. (Currently it’s Mac OS only, with a wait list for Windows or Linux.)

In a blog about the effort the researchers write that their aim is to offer a simple tool for consumers to analyze the network traffic of their Internet connected gizmos. The basic idea is to help people see whether devices such as smart speakers or wi-fi enabled robot vacuum cleaners are sharing their data with third parties. (Or indeed how much snitching their gadgets are doing.)

Testing the IoT Inspector tool in their lab the researchers say they found a Chromecast device constantly contacting Google’s servers even when not in active use.

A Geeni smart bulb was also found to be constantly communicating with the cloud — sending/receiving traffic via a URL (tuyaus.com) that’s operated by a China-based company with a platform which controls IoT devices.

There are other ways to track devices like this — such as setting up a wireless hotspot to sniff IoT traffic using a packet analyzer like WireShark. But the level of technical expertise required makes them difficult for plenty of consumers.

Whereas the researchers say their web app doesn’t require any special hardware or complicated set-up so it sounds easier than trying to go packet sniffing your devices yourself. (Gizmodo, which got an early look at the tool, describes it as “incredibly easy to install and use”.)

One wrinkle: The web app doesn’t work with Safari, requiring either Firefox or Google Chrome (or a Chromium-based browser) to work.

The main caveat is that the team at Princeton do want to use the gathered data to feed IoT research — so users of the tool will be contributing to efforts to study smart home devices.

The title of their research project is Identifying Privacy, Security, and Performance Risks of Consumer IoT Devices. The listed principal investigators are professor Nick Feamster and PhD student Danny Yuxing Huang at the university’s Computer Science department.

The Princeton team says it intends to study privacy and security risks and network performance risks of IoT devices. But they also note they may share the full dataset with other non-Princeton researchers after a standard research ethics approval process. So users of IoT Inspector will be participating in at least one research project. (Though the tool also lets you delete any collected data — per device or per account.)

“With IoT Inspector, we are the first in the research community to produce an open-source, anonymized dataset of actual IoT network traffic, where the identity of each device is labelled,” the researchers write. “We hope to invite any academic researchers to collaborate with us — e.g., to analyze the data or to improve the data collection — and advance our knowledge on IoT security, privacy, and other related fields (e.g., network performance).”

They have produced an extensive FAQ which anyone thinking about running the tool should definitely read before getting involved with a piece of software that’s explicitly designed to spy on your network traffic. (tl;dr, they’re using ARP-spoofing to intercept traffic data — a technique they warn may slow your network, in addition to the risk of their software being buggy.)

The dataset that’s being harvested by the traffic analyzer tool is anonymized and the researchers specify they’re not gathering any public-facing IP addresses or locations. But there are still some privacy risks — such as if you have smart home devices you’ve named using your real name. So, again, do read the FAQ carefully if you want to participate.

For each IoT device on a network the tool collects multiple data-points and sends them back to servers at Princeton University — including DNS requests and responses; destination IP addresses and ports; hashed MAC addresses; aggregated traffic statistics; TLS client handshakes; and device manufacturers.

The tool has been designed not to track computers, tablets and smartphones by default, given the study focus on smart home gizmos.

Users can also manually exclude individual smart devices from being tracked if they’re able to power them down during set up or by specifying their MAC address.

Up to 50 smart devices can be tracked on the network where IoT Inspector is running. Anyone with more than 50 devices is asked to contact the researchers to ask for an increase to that limit.

The project team has produced a video showing how to install the app on Mac.

Here’s the first official preview of Microsoft’s Chromium-based Edge browser

Microsoft today launched the first official version of its Edge browser with the Chromium engine for Windows 10. You can now download the first developer and canary builds here. The canary builds will get daily updates and the developer builds will see weekly updates. Over time, you’ll also be able to opt in to the beta channel and, eventually, the stable channel.

The company first announced this project last December and the news obviously created quite a stir, given that Microsoft was abandoning its own browser engine development in favor of using an open-source engine — and one that is still very much under the control of Google. With that, we’re now down to two major browser engines: Google’s Chromium and Mozilla’s Gecko.

I used the most recent builds for the last week or so. Maybe the most remarkable thing about using Microsoft’s new Chromium-based Edge browser is how unremarkable it feels. It’s a browser and it (with the exceptions of a few bugs you’d expect to see in a first release) works just like you’d expect it to. That’s a good thing, in that if you’re a Windows user, you could easily use the new Edge as your default browser and would be just fine. On the other hand — at least at this stage of the project — there’s also very little that differentiates Edge with Chromium from Google’s own Chrome browser.

That will change over time, though, with more integrations into the Windows ecosystem. For now, this is very much a first preview and meant to give web and extensions developers a platform for testing their sites and tools.

There are a few points of integration with Microsoft’s other services available already, though. Right now, when you install the Edge preview builds, you get the option to choose your new tab layout. The choices are a very simple new tab layout that only presents a search bar and a few bookmarks and a variation with a pretty picture in the background, similar to what you’d see on Bing. There is, however, also another option that highlights recent news from Microsoft News, with the option to personalize what you see on that page.

Microsoft also says that it plans to improve tab management and other UI features as it looks at how it can differentiate its browser from the rest.

In this first preview, some of the syncing features are also already in place, but there are a few holes here. So while bookmarks sync, extensions, your browsing history, settings, open tabs, addresses and passwords do not. That’ll come in some of the next builds, though.

Right now, the only search engine that’s available is Bing. That, too, will obviously change in upcoming builds.

Microsoft tells me that it prioritized getting a full end-to-end browser code base to users and setting up the engineering systems that will allow it to both push regular updates outside of the Windows update cycle and to pull in telemetry data from its users.

Most of the bugs I encountered were minor. Netflix, though, regularly gave me trouble. While all other video services I tried worked just fine, the Netflix homepage often stuttered and became unresponsive for a few seconds.

That was the exception, though. In using the new Edge as my default browser for almost a week, I rarely ran into similar issues and a lot of things ‘just work’ already. You can read PDFs in the browser, just like you’d expect. Two-factor authentication with a Yubikey to get into Gmail works without an issue. Even complex web apps run quickly and without any issues. The extensions I regularly use, including LastPass, worked seamlessly, no matter whether I installed them from the Google store or Microsoft’s library.

I also ran a few benchmarks and unsurprisingly, Edge and the latest version of Chrome tend to score virtually the same results. It’s a bit too early in the development process to really focus on benchmarks, but the results are encouraging.

With this release, we’re also getting our first official look at using extensions in the new Edge. Unsurprisingly, Microsoft will offer its own extension store, but with the flip of a switch in the settings, you’ll also be able to install and use extensions from third-party marketplaces, meaning the Chrome Web Store. Extension developers who want to add their tools to the Microsoft marketplace can basically take their existing Chrome extensions and use those

Microsoft’s promise, of course, is that it will also bring the new Edge to Windows 7 and Windows 8, as well as the Mac. For now, though, this first version is only available on 64-bit versions of Windows 10. Those are in the works, but Microsoft says they simply aren’t quite as far along as the Windows 10 edition. This first release is also English-only, with localized versions coming soon, though.

While anybody can obviously download this release and give it a try, Microsoft stressed that if you’re not a tech enthusiast, it really isn’t for you. This first release is very much meant for a technical audience. In a few months, though, Microsoft will surely start launching more fully-featured beta versions and by that time, the browser will likely be ready for a wider audience. Still, though, if you want to give it a try, nobody is stopping you today, no matter your technical expertise.

Google has quietly added DuckDuckGo as a search engine option for Chrome users in ~60 markets

In an update to the chromium engine, which underpins Google’s popular Chrome browser, the search giant has quietly updated the lists of default search engines it offers per market — expanding the choice of search product users can pick from in markets around the world.

Most notably it’s expanded search engine lists to include pro-privacy rivals in more than 60 markets globally.

The changes, which appear to have been pushed out with the Chromium 73 stable release yesterday, come at a time when Google is facing rising privacy and antitrust scrutiny and accusations of market distorting behavior at home and abroad.

Many governments are now actively questioning how competition policy needs to be updated to rein in platform power and help smaller technology innovators get out from under the tech giant shadow.

But in a note about the changes to chromium’s default search engine lists on a GitHub instance, Google software engineer Orin Jaworski merely writes that the list of search engine references per country is being “completely replaced based on new usage statistics” from “recently collected data”.

Their choices appear to loosely line up with top four marketshare.

The greatest beneficiary of the update appears to be pro-privacy Google rival, DuckDuckGo, which is now being offered as an option in more than 60 markets, per the GitHub instance.

Previously DDG was not offered as an option at all.

Another pro-privacy search rival, French search engine Qwant, has also been added as a new option — though only in its home market, France.

Whereas DDG has been added in Argentina, Austria, Australia, Belgium, Brunei, Bolivia, Brazil, Belize, Canada, Chile, Colombia, Costa Rica, Croatia, Germany, Denmark, Dominican Republic, Ecuador, Faroe Islands, Finland, Greece, Guatemala, Honduras, Hungary, Indonesia, Ireland, India, Iceland, Italy, Jamaica, Kuwait, Lebanon, Liechtenstein, Luxembourg, Monaco, Moldova, Macedonia, Mexico, Nicaragua, Netherlands, Norway, New Zealand, Panama, Peru, Philippines, Poland, Puerto Rico, Portugal, Paraguay, Romania, Serbia, Sweden, Slovenia, Slovakia, El Salvador, Trinidad and Tobago, South Africa, Switzerland, UK, Uruguay, US and Venezuela.

“We’re glad that Google has recognized the importance of offering consumers a private search option,” DuckDuckGo founder Gabe Weinberg told us when approached for comment about the change.

DDG has been growing steadily for years — and has also recently taken outside investment to scale its efforts to capitalize on growing international appetite for pro-privacy products.

Interestingly, the chromium GitHub instance is dated December 2018 which appears to be around about the time when Google (finally) passed the Duck.com domain to DuckDuckGo, after holding onto the domain and pointing it to Google.com for years.

We asked Google for comment on the timing of the changes to search engine options in chromium. At the time of writing the search giant had not responded.

We’ve also reached out to Qwant for comment on being added as an option in its home market.

 

Google Chrome could soon let you mute annoyingly noisy websites

Websites that auto-load videos with sound may soon be a thing of the past — or, at least, your days of having to put up with them could be. That’s because Google is testing a new option that lets users permanently mute a website within the Chrome Browser. Noisy websites have long been a pain. Chrome introduced an indicator to flag guilty tabs a couple of years ago — it had…

Google makes Chrome 15% faster on Windows

Google is currently making a concerted effort to make its Chrome browser faster and leaner. The company announced a project to bring down memory usage earlier this month, for example. But it also quietly started work on some other optimizations recently, too, that add up to making Chrome on Windows run about 15 percent faster than before. Starting with the Chrome 53 release of 64-bit…